
patch for ssh-1.2.18


Mitchell Blank Jr

1997/04/01 3:00:00

(My apologies for posting this to the newsgroup AND the mailing list.
Obviously it's timely information)

Here is my patch to ssh-1.2.18 to implement rot13 encryption. To use it,
you need to configure --with-rot13. It is off by default.

Enjoy, and happy holiday.

-Mitchell Blank Jr
mi...@execpc.com
Exec-PC, Systems Administration

diff -cwr ssh-1.2.18-VIRGIN/cipher.c ssh-1.2.18-ROT13/cipher.c
*** ssh-1.2.18-VIRGIN/cipher.c Thu Mar 27 00:04:13 1997
--- ssh-1.2.18-ROT13/cipher.c Mon Mar 31 23:18:53 1997
***************
*** 59,68 ****
#include "ssh.h"
#include "cipher.h"

/* Names of all encryption algorithms. These must match the numbers defined
int cipher.h. */
static char *cipher_names[] =
! { "none", "idea", "des", "3des", "tss", "arcfour", "blowfish" };

/* Returns a bit mask indicating which ciphers are supported by this
implementation. The bit mask has the corresponding bit set of each
--- 59,79 ----
#include "ssh.h"
#include "cipher.h"

+ #ifdef WITH_ROT13
+ void rot13cpy(char *dest,char *src,unsigned len) {
+ while(len--) {
+ if((*src>='a')&&(*src<='m')) *dest=(*src)+13;
+ else if((*src>='n')&&(*src<='z')) *dest=(*src)-13;
+ else if((*src>='A')&&(*src<='M')) *dest=(*src)+13;
+ else if((*src>='N')&&(*src<='Z')) *dest=(*src)-13;
+ else *dest=*src;
+ dest++, src++; }; }
+ #endif
+
/* Names of all encryption algorithms. These must match the numbers defined
int cipher.h. */
static char *cipher_names[] =
! { "none", "idea", "des", "3des", "tss", "arcfour", "blowfish", "rot13" };

/* Returns a bit mask indicating which ciphers are supported by this
implementation. The bit mask has the corresponding bit set of each
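Review bot: rot13cpy() in the added WITH_ROT13 block takes no key and rewrites only the ASCII letters a-z and A-Z, copying every other byte unchanged, yet the cipher_names[] change lists "rot13" in the same table as idea, 3des and blowfish. Anyone who sees the traffic recovers it by applying the same function, so it should not be selectable through the table the real ciphers use. Smaller points: the only callers visible in this patch are in cipher.c, so the function should be static; src should be const char *; and the closing "}; }" leaves a stray empty statement.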
***************
*** 97,102 ****
--- 108,117 ----
#ifdef WITH_BLOWFISH
mask |= 1 << SSH_CIPHER_BLOWFISH;
#endif /* WITH_BLOWFISH */
+
+ #ifdef WITH_ROT13
+ mask |= 1 << SSH_CIPHER_ROT13;
+ #endif /* WITH_ROT13 */
return mask;
}

***************
*** 249,254 ****
--- 264,273 ----
blowfish_set_key(&context->u.blowfish, key, keylen, for_encryption);
break;
#endif /* WITH_BLOWFISH */
+ #ifdef WITH_ROT13
+ case SSH_CIPHER_ROT13:
+ break;
+ #endif /* WITH_ROT13 */
default:
fatal("cipher_set_key: unknown cipher: %d", cipher);
}
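Review bot: the SSH_CIPHER_ROT13 case added to cipher_set_key is an empty break, so the key and keylen handed to this function are discarded and the call returns as if a key had been installed. At minimum add a comment saying the cipher is keyless on purpose; a log or debug message here would also make it visible that the session key is not being used for anything.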
***************
*** 305,310 ****
--- 324,335 ----
break;
#endif /* WITH_BLOWFISH */

+ #ifdef WITH_ROT13
+ case SSH_CIPHER_ROT13:
+ rot13cpy(dest, src, len);
+ break;
+ #endif
+
default:
fatal("cipher_encrypt: unknown cipher: %d", context->type);
}
***************
*** 360,365 ****
--- 385,396 ----
break;
#endif /* WITH_BLOWFISH */

+ #ifdef WITH_ROT13
+ case SSH_CIPHER_ROT13:
+ rot13cpy(dest, src, len);
+ break;
+ #endif
+
default:
fatal("cipher_decrypt: unknown cipher: %d", context->type);
}
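Review bot: the case added to cipher_decrypt calls the same rot13cpy(dest, src, len) as the cipher_encrypt hunk, which is correct only because a 13-place rotation is its own inverse; say so in a comment so a later change to the shift on one side does not break the other. The closing #endif in both hunks lacks the /* WITH_ROT13 */ comment used on the other #endif lines in this file, and if dest and src are not char * in these functions the call needs a cast or rot13cpy should take unsigned char *.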
diff -cwr ssh-1.2.18-VIRGIN/cipher.h ssh-1.2.18-ROT13/cipher.h
*** ssh-1.2.18-VIRGIN/cipher.h Thu Mar 27 00:04:14 1997
--- ssh-1.2.18-ROT13/cipher.h Mon Mar 31 23:06:48 1997
***************
*** 72,77 ****
--- 72,78 ----
#define SSH_CIPHER_TSS 4 /* TRI's Simple Stream encryption CBC */
#define SSH_CIPHER_ARCFOUR 5 /* Arcfour */
#define SSH_CIPHER_BLOWFISH 6 /* Bruce Schneier's Blowfish */
+ #define SSH_CIPHER_ROT13 7

typedef struct {
unsigned int type;
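Review bot: SSH_CIPHER_ROT13 is defined as 7 with no trailing comment, while every neighbouring cipher constant in this hunk carries one. Add a comment that names the algorithm and states that it is keyless and not a real cipher; since cipher.c notes that cipher_names[] must match these numbers, a short reminder of that dependency next to the new define would help too.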
diff -cwr ssh-1.2.18-VIRGIN/config.h.in ssh-1.2.18-ROT13/config.h.in
*** ssh-1.2.18-VIRGIN/config.h.in Thu Mar 27 00:04:06 1997
--- ssh-1.2.18-ROT13/config.h.in Mon Mar 31 23:01:43 1997
***************
*** 251,256 ****
--- 251,257 ----
#undef WITH_ARCFOUR
#undef WITH_BLOWFISH
#undef WITH_NONE
+ #undef WITH_ROT13

/* Define this to include libwrap (tcp_wrappers) support. */
#undef LIBWRAP
diff -cwr ssh-1.2.18-VIRGIN/configure ssh-1.2.18-ROT13/configure
*** ssh-1.2.18-VIRGIN/configure Thu Mar 27 00:04:06 1997
--- ssh-1.2.18-ROT13/configure Mon Mar 31 23:01:58 1997
***************
*** 28,33 ****
--- 28,36 ----
--with-arcfour Include arcfour (DO NOT ENABLE, unless you know the security implications of this settings. See README.CIPHERS for more info).
--without-arcfour Don't include arcfour (default)"
ac_help="$ac_help
+ --with-rot13 Include rot13 (DO NOT ENABLE).
+ --without-rot13 Don't include rot13 (default)"
+ ac_help="$ac_help
--with-tss Include TSS encryption algorithm.
--without-tss Don't include TSS (default)"
ac_help="$ac_help
***************
*** 5460,5466 ****
--- 5463,5490 ----

fi

+ echo $ac_n "checking whether to include the ROT13 encryption algorithm""... $ac_c" 1>&6
+ echo "configure:5443: checking whether to include the ROT13 encryption algorithm" >&5
+ # Check whether --with-rot13 or --without-rot13 was given.
+ if test "${with_rot13+set}" = set; then
+ withval="$with_rot13"
+ case "$withval" in
+ yes)
+ echo "$ac_t""yes" 1>&6
+ cat >> confdefs.h <<\EOF
+ #define WITH_ROT13 1
+ EOF

+ ;;
+ *)
+ echo "$ac_t""no" 1>&6
+ ;;
+ esac
+ else
+ echo "$ac_t""no" 1>&6
+
+ fi
+
echo $ac_n "checking whether to include the TSS encryption algorithm""... $ac_c" 1>&6
echo "configure:5466: checking whether to include the TSS encryption algorithm" >&5
# Check whether --with-tss or --without-tss was given.
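Review bot: the added trace line hardcodes "configure:5443" although the block is inserted in the 5463-5490 range of the new file, and the unchanged TSS check below it still prints "configure:5466" even though it has moved down by the length of the insertion. That points to the generated script having been edited by hand. Regenerate configure from the patched configure.in with autoconf instead of patching it directly, so the embedded line numbers and the ac_help text stay consistent.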
diff -cwr ssh-1.2.18-VIRGIN/configure.in ssh-1.2.18-ROT13/configure.in
*** ssh-1.2.18-VIRGIN/configure.in Thu Mar 27 00:04:06 1997
--- ssh-1.2.18-ROT13/configure.in Mon Mar 31 23:19:45 1997
***************
*** 934,939 ****
--- 934,955 ----
AC_MSG_RESULT(no)
)

+ AC_MSG_CHECKING(whether to include the ROT13 encryption algorithm)
+ AC_ARG_WITH(rot13,
+ [ --with-rot13 Include rot13 (DO NOT ENABLE).
+ --without-rot13 Don't include rot13 (default)],
+ [ case "$withval" in
+ yes)
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(WITH_ROT13)
+ ;;
+ *)
+ AC_MSG_RESULT(no)
+ ;;
+ esac ],
+ AC_MSG_RESULT(no)
+ )
+
AC_MSG_CHECKING(whether to include the TSS encryption algorithm)
AC_ARG_WITH(tss,
[ --with-tss Include TSS encryption algorithm.
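Review bot: the help text "Include rot13 (DO NOT ENABLE)." in the AC_ARG_WITH(rot13, ...) call gives no reason, whereas the arcfour entry in configure tells the user to read README.CIPHERS for the security implications. Say in the help string why the option must stay off, or point to the same README and document rot13 there.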
Common subdirectories: ssh-1.2.18-VIRGIN/gmp-2.0.2-ssh-2 and ssh-1.2.18-ROT13/gmp-2.0.2-ssh-2
diff -cwr ssh-1.2.18-VIRGIN/ssh.c ssh-1.2.18-ROT13/ssh.c
*** ssh-1.2.18-VIRGIN/ssh.c Thu Mar 27 00:04:10 1997
--- ssh-1.2.18-ROT13/ssh.c Mon Mar 31 23:21:02 1997
***************
*** 256,261 ****
--- 256,264 ----
#ifdef WITH_BLOWFISH
"``blowfish'', "
#endif /* WITH_BLOWFISH */
+ #ifdef WITH_ROT13
+ "``rot13'', "
+ #endif /* WITH_ROT13 */
"``3des''\n");
fprintf(stderr, " -p port Connect to this port. Server must be on the same port.\n");
fprintf(stderr, " -P Dont use priviledged source port.\n");
diff -cwr ssh-1.2.18-VIRGIN/sshd.c ssh-1.2.18-ROT13/sshd.c
*** ssh-1.2.18-VIRGIN/sshd.c Thu Mar 27 00:04:08 1997
--- ssh-1.2.18-ROT13/sshd.c Mon Mar 31 23:21:55 1997
***************
*** 1842,1847 ****
--- 1842,1853 ----
log_msg("RhostsRsa authentication not available for session encrypted with arcfour.");
break;
}
+ if (cipher_type == SSH_CIPHER_ROT13)
+ {
+ packet_get_all();
+ log_msg("RhostsRsa authentication not available for session encrypted with rot13.");
+ break;
+ }

/* Get client user name. Note that we just have to trust the client;
root on the client machine can claim to be any user. */
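Review bot: the added SSH_CIPHER_ROT13 block is a copy of the arcfour block that ends just above it, differing only in the constant and the log text. Fold the two into one test on cipher_type (or a small helper that names the ciphers for which RhostsRsa is refused) and print the cipher name in the message, so that adding another weak cipher later is a one-line change rather than another pasted block that can be forgotten.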


Magnus Bergman

1997/04/01 3:00:00

In article <1997040100...@execpc.com>,

mi...@execpc.com (Mitchell Blank Jr) writes:
>
>Here is my patch to ssh-1.2.18 to implement rot13 encryption. To use it,
>you need to configure --with-rot13. It is off by default.

Why would you want to run rot13 ? And could you really call it
encryption?

Regards //Tri

Pekka Kytölaakso

1997/04/01 3:00:00

tri...@unix.pp.se (Magnus Bergman) wrote:

> In article <1997040100...@execpc.com>,
> mi...@execpc.com (Mitchell Blank Jr) writes:
> >
> >Here is my patch to ssh-1.2.18 to implement rot13 encryption. To use it,
> >you need to configure --with-rot13. It is off by default.
>
> Why would you want to run rot13 ? And could you really call it
> encryption?
>
> Regards //Tri

I think it's just about the perfect thing to post on April Fools' Day
(about as useful as IP encapsulation in postcards or any other
1st April RFCs)!

PekkaK

PS for this week (and any first few days of April B-) remember
to always check the date and run everything through a joke filter!


Doug Siebert

1997/04/01 3:00:00

schn...@voicenet.com (Matthew Schnierle) writes:

>In article <5hreg9$gl$1...@nntp01.news.se.dataphone.net>,
>Magnus Bergman <tri...@unix.pp.se> wrote:
>>In article <1997040100...@execpc.com>,
>> mi...@execpc.com (Mitchell Blank Jr) writes:
>>>
>>>Here is my patch to ssh-1.2.18 to implement rot13 encryption. To use it,
>>>you need to configure --with-rot13. It is off by default.
>>
>>Why would you want to run rot13 ? And could you really call it
>>encryption?

>Err, check the date.

Check where he's posting from. April 1st doesn't have special meaning to
every country in the world. Us Americans drive the rest of the world nuts
every year on this day :)

It's rather like if a lot of people from China started talking about the new
year on some day that isn't remotely close to Jan. 1st. (You know the old
joke about the guy who knows it is now the "year of the rat" but keeps
writing the "year of the dog" on his checks by mistake)

--
Douglas Siebert Director of Computing Facilities
douglas...@uiowa.edu Division of Mathematical Sciences, U of Iowa

Don't take life too seriously or you'll never get out of it alive.

David L. Sifry

1997/04/01 3:00:00

Magnus Bergman wrote:
>
> In article <1997040100...@execpc.com>,
> mi...@execpc.com (Mitchell Blank Jr) writes:
> >
> >Here is my patch to ssh-1.2.18 to implement rot13 encryption. To use
> >it, you need to configure --with-rot13. It is off by default.
>
> Why would you want to run rot13 ? And could you really call it
> encryption?

Thanks, that patch made my April 1st.

Dave
--
Dave Sifry http://www.sifry.com
da...@sifry.com (408) 471-0667 (voice) (408) 471-0666 (fax)
The power of a concept to change people's lives for the better.


Helmut Springer

1997/04/01 3:00:00

Magnus Bergman wrote:
> >Here is my patch to ssh-1.2.18 to implement rot13 encryption. To use it,
> >you need to configure --with-rot13. It is off by default.
>
> Why would you want to run rot13 ? And could you really call it
> encryption?
you know the date of today?

cheers
delta

--
helmut 'delta' springer Unix/Net Consulting, InfoSystems, StudBox
de...@RUS.Uni-Stuttgart.DE Stuttgart University, FRG
http://home.pages.de/~delta/
phone : +49 711 685-2003 "Freedom's just another word for
FAX : +49 711 685-2043 nothing left to lose" Kris Kristofferson


c...@deepeddy.com

1997/04/02 3:00:00

> In article <5hreg9$gl$1...@nntp01.news.se.dataphone.net>,
> Magnus Bergman <tri...@unix.pp.se> wrote:
> >In article <1997040100...@execpc.com>,
> > mi...@execpc.com (Mitchell Blank Jr) writes:
> >>
> >>Here is my patch to ssh-1.2.18 to implement rot13 encryption. To use it,
> >>you need to configure --with-rot13. It is off by default.
> >
> >Why would you want to run rot13 ? And could you really call it
> >encryption?
>
> Err, check the date.

Actually, this leads me to a legitimate question that's been bugging me for a
few days. Why is cipher "none" now disabled by default? There are times that
it's genuinely useful and it would be rather distressing to find it
missing at such times.

For instance, I back up systems using amanda (which has its own protocol for
doing the actual backup). Its protocol doesn't handle restorals however, and
they suggest rsh. I'd rather use ssh with no encryption than rsh so at least
I'm validated as really being root by the other end. ssh with encryption is
too slow, and I'm not worried about the data over the LAN in
this case anyway. As such, I'll be installing 1.2.18 with "none" reenabled
even though I rarely use it in that mode.

Chris

--
Chris Garrigues O- c...@DeepEddy.Com
Deep Eddy Internet Consulting +1 512 432 4046
609 Deep Eddy Avenue
Austin, TX 78703-4513 http://www.DeepEddy.Com/~cwg/



Jessica Koeppel

1997/04/02 3:00:00

c...@DeepEddy.Com wrote:

>this case anyway. As such, I'll be installing 1.2.18 with "none" reenabled
>even though I rarely use it in that mode.

I will need to do this as well - I have some scripts that copy large
files between internal secure machines, and would like to continue
using ssh without encryption for this.

--jessica


Warner Losh

1997/04/02 3:00:00

In message <5hrre8$c...@flood.weeg.uiowa.edu> Doug Siebert writes:
: Check where he's posting from. April 1st doesn't have special meaning to
: every country in the world. Us Americans drive the rest of the world nuts
: every year on this day :)

The tradition goes back to when the first of the year was moved from
April 1 to Jan 1. It is a European thing, so I would suspect the .se
(Sweden) would at least be familiar with it. Those that continued to
celebrate the new year were called April Fools.

However, a tome on this subject is not relevant to this group, so I'll
stop here.

Warner


Tero Kivinen

1997/04/05 3:00:00

c...@deepeddy.com writes:
> Actually, this leads me to a legitimate question that's been bugging
> me for a few days. Why is cipher "none" now disabled by default?
> There are times that it's genuinely useful and it would be
> rather distressing to find it missing at such times.

There are also attacks that can use your .shosts etc. files to log in as
you to another machine if combined with an active network attack and cipher
none is allowed.

> For instance, I back up systems using amanda (which has its own protocol for
> doing the actual backup). Its protocol doesn't handle restorals however, and
> they suggest rsh. I'd rather use ssh with no encryption than rsh so at least
> I'm validated as really being root by the other end. ssh with encryption is
> too slow, and I'm not worried about the data over the LAN in
> this case anyway. As such, I'll be installing 1.2.18 with "none" reenabled
> even though I rarely use it in that mode.

If you have fast enough machines with spare CPU cycles, the blowfish
encryption should be almost fast enough to fill the 10 Mbit ethernet.
On a 166 MHz Pentium it can encrypt and decrypt on the same machine at
the same time at a little less than 700 kBytes / second. That is usually
much more than DAT or other tape devices can put to tape anyway.
--
kiv...@iki.fi Work : +358-9-451 4032
Magnus Enckellin kuja 9 K 19, 02610, Espoo Home : +358-9-502 1573


C. v. Stuckrad

1997/04/06 4:00:00

On Sun, 6 Apr 1997, Tero Kivinen wrote:
> c...@deepeddy.com writes:
> > Actually, this leads me to a legitimate question that's been bugging
> > me for a few days. Why is cipher "none" now disabled by default?
> > There are times that it's genuinely useful and it would be
> > rather distressing to find it missing at such times.
...

> If you have fast enough machines with spare cpu cycles the blowfish
> encryption should be almost fast enough to fill the 10 Mbit ethernet.
> On 166 MHz pentium it can encrypt and decrypt on the same machine at
> the same time little less than 700 kBytes / second. That is usually
> much more than DAT or other tape devices can put to tape anyway.

Alas we have only a small SUN (old sparc2 I think) which normally has no
problem to drive the 10-exabyte stacker, but will need more than 50hours
for writing about two gigabytes if accessed via 'ssh -c blowfish' on our
(also very crowded) ethernet. The approximate time of 50h was never really
tested, but we have tried dump-increments of 200Mbyte and the whole
partition would be 2G.

So lacking another way we too re-installed '--with-none' for now.

But the remaining question is, given a ssh-connection with '-c none',
is it possible to 'steal the keys' of the user who connects ?

Then the only relatively secure way may be for example to
1) use ssh to start some one-time-working receiver (like faucet/hose)
2) run the tape via the receiver and without compression/authentication.
or
1) create an '.rhosts' file which allows 'this' user@host to dump
2) start the remote-tape-utility (implying rsh)
3) remove the .rhosts (even while the tape runs on)

This may reduce the time of insecurity while it may be more(?) secure
than risking to compromise the security of the ssh keys ?

Just an idea, Stucki

Christoph von Stuckrad * * | talk to | <stu...@math.fu-berlin.de> \
Freie Universitaet Berlin |/_* | nickname | ...!unido!fub!leibniz!stucki|
Fachbereich Mathematik, EDV |\ * | 'stucki' | Tel:+49 30 838-7545{9|8} |
Arnimallee 2-6/14195 Berlin * * | on IRC | Fax:+49 30 838-5913 /


Peter da Silva

1997/04/07 3:00:00

In article <vpg1x23...@dogbert.tivoli.com>,
Firebeard <stend+c.se...@sten.org> wrote:
> I understand that triple rot13 is much more secure, while
> still meeting the 40-bit limit of the Commerce Department.

Doctor Kibo recently proved that ROT-39 could be treated as a special
case of ROT-13. The Captain Midnight Secret Decoder Ring cipher, however,
isn't subject to this attack.
--
The Reverend Peter da Silva, ULC, COQO, BOFH, KIBO.
Har du kramat din varg, idag? `-_-'

(how do you say "We are all Kibo" in Norwegian?)

Doug Siebert

1997/04/07 3:00:00

stend+c.se...@sten.org (Firebeard) writes:

> I understand that triple rot13 is much more secure, while
>still meeting the 40-bit limit of the Commerce Department.


Screw the commerce department, I do triple triple triple rot13 _twice_. Now
that's some real security!!

Terje Malmedal

1997/04/07 3:00:00

[Peter da Silva]

> In article <vpg1x23...@dogbert.tivoli.com>,
> Firebeard <stend+c.se...@sten.org> wrote:

>> I understand that triple rot13 is much more secure, while
>> still meeting the 40-bit limit of the Commerce Department.

> Doctor Kibo recently proved that ROT-39 could be treated as a special
> case of ROT-13. The Captain Midnight Secret Decoder Ring cipher, however,
> isn't subject to this attack.

What I really need though, is a ROT variant which also works with
ISO8859-P1.

> (how do you say "We are all Kibo" in Norwegian?)

Vi er alle Kibo.

--
- Terje
malm...@usit.uio.no


John Ladwig

1997/04/07 3:00:00

>>>>> On 07 Apr 1997 10:25:26 -0500, stend+c.se...@sten.sten.org (Firebeard) said:

>>>>> Magnus Bergman writes:
MB> In article <1997040100...@execpc.com>, mi...@execpc.com
MB> (Mitchell Blank Jr) writes:
>>> Here is my patch to ssh-1.2.18 to implement rot13 encryption. To
>>> use it, you need to configure --with-rot13. It is off by default.

MB> Why would you want to run rot13 ? And could you really call it
MB> encryption?

F> I understand that triple rot13 is much more secure, while
F> still meeting the 40-bit limit of the Commerce Department.

Two-key triple-rot13 in EDE mode will only give you 26 bits.

-jml *HTH*

